Welcome to my blog. I found malicious code that had been added to the wmime.exe file. Because of the infection, the file contents changed. The MD5 value of the infected file is 51578a476091dd9cc17be4c2f5af7d45, and the file size is 2.7 MB (2,808,832 bytes).

Risk level of malicious code: 3 stars (rated by 176 users)

Behavior of malicious code (334 votes). If you know more about this malicious code, please vote. We sincerely hope you will share your information with other computer users and help them.

1. Infect file: 15.27% (51)
2. Intentionally destroy data: 11.68% (39)
3. Steal personal privacy: 12.87% (43)
4. Infect other computers through the Internet: 9.88% (33)
5. Install a backdoor program so that the computer is controlled remotely: 11.08% (37)
6. Cheat or threaten users into buying something: 15.87% (53)
7. Download and install other programs in the background without permission: 13.17% (44)
8. Pop up various advertisements and induce users to click: 10.18% (34)

Binary Code Analysis:

When the program runs, the PE loader tries to map the file at 0x00400000 in the virtual address space; the Address Of Entry Point is 0x007084BD. The file has 13 sections.

File layout as shown by the PE viewer: DOS Header, DOS Stub, NT File Signature, NT Header (File Header, Optional Header, Data Directory), followed by the 13 section headers listed below.

Section  Name     Virtual Size  Virtual Address  Size Of Raw Data  Pointer To Raw Data  Characteristics
#1       .text    0x00250110    0x00001000       0x00000000        0x00000000           0x60000020
#2       .itext   0x00001DD8    0x00252000       0x00000000        0x00000000           0x60000020
#3       .data    0x0000A550    0x00254000       0x00000000        0x00000000           0xC0000040
#4       .bss     0x000F8F30    0x0025F000       0x00000000        0x00000000           0xC0000000
#5       .idata   0x00004104    0x00358000       0x00000000        0x00000000           0xC0000040
#6       .didata  0x0000044E    0x0035D000       0x00000000        0x00000000           0xC0000040
#7       .tls     0x00000048    0x0035E000       0x00000000        0x00000000           0xC0000000
#8       .rdata   0x00000018    0x0035F000       0x00000000        0x00000000           0x40000040
#9       .Nieo0   0x0002FA1C    0x00360000       0x00000000        0x00000000           0x60000060
#10      .rsrc    0x000BFC00    0x00390000       0x00007E00        0x00000400           0x40000040
#11      .Nieo1   0x00148498    0x00450000       0x00000000        0x00000000           0x20000020
#12      .Nieo2   0x002A5689    0x00599000       0x002A5800        0x00008200           0xE2000060
#13      .reloc   0x000000A4    0x0083F000       0x00000200        0x002ADA00           0x42000040

Pointer To Relocations, Pointer To Linenumbers, Number Of Relocations and Number Of Linenumbers are 0x00000000 for every section and are omitted from the table.

Two things stand out in this table. Only .rsrc, .Nieo2 and .reloc have raw data in the file (0x400 + 0x7E00 = 0x8200, where .Nieo2 begins; 0x8200 + 0x2A5800 = 0x2ADA00, where .reloc begins; 0x2ADA00 + 0x200 = 0x2ADC00 = 2,808,832 bytes, the whole file), so .text, .data, .idata and the other original sections have no backing in the file and must be filled in at run time. And the entry point 0x007084BD lies inside .Nieo2 (0x00599000 to 0x0083E689), whose characteristics 0xE2000060 mark it as code that is executable, readable and writable, so the code that runs first lives in the added section rather than in .text.

About this malicious code

This malicious code is a 32-bit program that infects EXE files. When the infected file is run or loaded, the malicious code in the file runs first. This malicious code also infects the following files:

Tip: There is something I must emphasize. The file names listed above belong to files that were infected by malicious code; it does not mean that every file with one of these names is malicious. Judging whether a file is a malicious program by its file name alone is unreliable.

Tip: The code of most malicious files is fixed and rarely changes, which means that this type of malicious file, regardless of which computer it is on, copies itself to a pre-set path. So go to the path listed above to look for this file; there is a good chance of finding it there.

Are all files with the same file name and the same path as listed above malicious?

Of course not. The file name is only the file's identification. Strictly speaking, the file has been modified by malicious code.

The following are methods commonly used by malicious code in order to confuse users:

• Deliberately rename themselves to a system file name or to the name of some well-known software.

• Generate malicious files in the system folder or in the installation folder of some well-known software, and even name their own folder after an antivirus product (one that the user has not actually installed). These malicious files are not system files, nor part of the well-known software.

For example, one of the most common system file names is explorer.exe, and under normal circumstances the system has only one explorer.exe process. When you open Task Manager and find two or more explorer.exe processes, it is likely that a malicious program is masquerading as it. As shown in the following figure, there are two explorer.exe processes in Task Manager.

When I look up the path where each file is located, it becomes clear that the real explorer.exe system file is located under "C:\Windows\", while the malicious file pretending to be the system process is under another path.

The running status of the wmime.exe file that is infected with malicious code:

• Memory usage: 289K
• CPU usage: between 33% and 50%
• Runs with Administrator permissions

At runtime, 18 Windows system files and 1 external file (not part of the Windows system) are called.

Windows system files

File name       Number of calling functions
oleaut32.dll    1
advapi32.dll    1
user32.dll      1
kernel32.dll    1
msimg32.dll     1
gdi32.dll       1
version.dll     1
SHFolder.dll    1
ole32.dll       1
comctl32.dll    1
winspool.drv    1
shell32.dll     1
comdlg32.dll    1
winmm.dll       1
netapi32.dll    1
psapi.dll       1
user32.dll      1
kernel32.dll    6

Not owned by the Windows system

File name       Number of calling functions
IJL15.DLL       1

In general, the most accurate way to determine whether a file is malicious is to analyze its code and see what happens when these functions are called while the program runs: does it show malicious behavior (destroying or stealing data)? I have listed the functions called by this file and some internal data, but there is too much to show here. Click here to see the full binary code analysis page.

wmime.exe runtime behavior analysis

The advapi32.dll dynamic link library is loaded and its functions are called. (Advapi32.dll is part of the advanced API services library; it contains functions for object security, registry manipulation and event logging. It is normally located in the system directory \WINDOWS\system32\.)

The kernel32.dll dynamic link library is loaded and its functions are called. (Kernel32.dll is a very important 32-bit dynamic link library in the Windows operating system. It is a kernel-level file that controls the system's memory management, data input and output, and interrupt handling. When Windows starts, kernel32.dll is placed in a specific write-protected area of memory so that other programs cannot occupy it.)

GetModuleHandleA: Retrieves a module handle for the specified module. The module must have been loaded by the calling process.

LoadLibraryA: Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.

GetModuleFileNameA: Retrieves the fully qualified path for the file that contains the specified module.

ExitProcess: Ends the calling process and all its threads.

The following files have been identified as malicious. Some are variants of wmime.exe; others are a different type of malicious file that uses the same file name as wmime.exe.

Checking a file by its hash value is a simple and effective way to determine whether it is malicious, and it has a lower false-detection rate than the "static signature" method. So if the MD5 value of a file on your computer is the same as an MD5 value listed below, the file is certainly malicious.

Below are my analysis results for the code of each malicious file, mainly provided for industry professionals engaged in computer security maintenance. If you are interested you can also have a look, but it may require some computer knowledge.

This is free virus detection software, and it is compatible with many well-known anti-virus products, so users do not have to uninstall the anti-virus software on their computer.

It is "environmentally friendly" for computers. After downloading, it can be used by simply decompressing it, without installation. While running, it does not write anything to the registry or create any new files in the Windows folder of the system disk. When you no longer need it, you can delete it; it leaves no leftover files on your computer.

When you find that your operating system is behaving abnormally, and a file name listed above appears in Task Manager, or several running processes share the same name as a core system file, it is best to download the anti-virus software and check your system.

Online detection of wmime.exe

If you don't know whether the wmime.exe on your computer is infected with malicious code, you can also use the online scan tool.

• Use the following online detection function to check the file.

• Enter the file name, or the file's MD5, for the query.

• You can also scan a file online. Click the "Upload File" button, then click the "submit" button, to immediately detect whether the file is a virus. (Tip: the uploaded file cannot exceed 8MB.)

How do I use the T21 engine for online scanning?

T21 can detect unknown files online, mainly using a "behavior-based" judgment mechanism. It is very simple to use.

1. Click the "Upload File" button, select the file you want to detect, and then click "Submit".
2. The next step is to wait for the system to check, which may take a little time, so please be patient.
3. When the T21 scan engine finishes, the results are returned immediately, as shown below:

• If you suspect that there are malicious files on your computer, but you cannot find where they are, or if you want to make a thorough check on your computer, you can download the automatic scanning tool.

If you want to know what kind of system T21 is, click here to view the introduction to T21. You can also go to the home page to read about the original intention and philosophy behind my development of the T21 system.
